Gitleaks Secret Detection
When to Use Gitleaks
Ideal scenarios:
- Scanning for hardcoded secrets in source code
- Auditing git history for leaked credentials
- Pre-commit hooks to prevent secret commits
- CI/CD pipeline secret detection
- Finding API keys, passwords, tokens, private keys
- Compliance requirements for credential management
Complements other tools:
- Use before manual code review to catch obvious secrets
- Combine with SARIF Issue Reporter for detailed analysis
- Use alongside Application Inspector for comprehensive security audit
When NOT to Use
Do NOT use this skill for:
- Code vulnerability detection (use Semgrep or CodeQL)
- Dependency scanning (use OSV-Scanner or Depscan)
- IaC security analysis (use KICS)
- Technology profiling (use Application Inspector)
- Finding secrets in binary files or compiled code
Installation
```bash
# Homebrew (macOS/Linux)
brew install gitleaks
# Binary download
wget https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks-linux-amd64
chmod +x gitleaks-linux-amd64
sudo mv gitleaks-linux-amd64 /usr/local/bin/gitleaks
# Docker
docker pull ghcr.io/gitleaks/gitleaks:latest
# Go install
go install github.com/gitleaks/gitleaks/v8@latest
# Verify
gitleaks version
```
Core Workflow
1. Quick Scan
```bash
# Scan current directory (git repo)
gitleaks detect
# Scan specific directory
gitleaks detect --source /path/to/repo
# Scan uncommitted changes only
gitleaks protect
# Scan with no banner/color (for CI)
gitleaks detect --no-banner --no-color
```
2. SARIF Output
```bash
# Generate SARIF report
gitleaks detect \
  --report-format sarif \
  --report-path results.sarif
# With additional options
gitleaks detect \
  --source /path/to/repo \
  --report-format sarif \
  --report-path results.sarif \
  --no-banner \
  --no-color \
  --exit-code 0
# Redact secrets in output
gitleaks detect \
  --report-format sarif \
  --report-path results.sarif \
  --redact
```
3. Scan Git History
```bash
# Scan all commits
gitleaks detect --source /path/to/repo --verbose
# Scan specific commit range
gitleaks detect --log-opts="--since='2024-01-01'"
# Scan specific branch
gitleaks detect --source /path/to/repo --log-opts="origin/main"
```
4. Additional Formats
```bash
# JSON output
gitleaks detect --report-format json --report-path results.json
# CSV output
gitleaks detect --report-format csv --report-path results.csv
# JUnit XML
gitleaks detect --report-format junit --report-path results.xml
```
Configuration
Custom Config File
Create .gitleaks.toml:
```toml
title = "Gitleaks Configuration"

[extend]
# Extend default config
useDefault = true

[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]([a-z0-9]{32,})'''
keywords = ["apikey", "api_key"]

[[rules]]
id = "slack-webhook"
description = "Slack Webhook URL"
regex = '''https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,}/B[a-zA-Z0-9_]{8,}/[a-zA-Z0-9_]{24,}'''

[[rules]]
id = "aws-access-key"
description = "AWS Access Key"
regex = '''AKIA[0-9A-Z]{16}'''
keywords = ["AKIA"]

[allowlist]
description = "Allowlist for false positives"
regexes = [
  '''EXAMPLE_API_KEY''',
  '''placeholder-secret''',
  '''test-token-123'''
]
paths = [
  '''.gitleaks.toml''',
  '''README.md''',
  '''docs/'''
]
```
Use Custom Config
```bash
gitleaks detect --config .gitleaks.toml
# With SARIF output
gitleaks detect \
  --config .gitleaks.toml \
  --report-format sarif \
  --report-path results.sarif
```
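Before committing a rule file like this one, it helps to see how its parts interact. The following is an added Python example, not from this page or from gitleaks itself, that re-implements the core of gitleaks' matching model for the three rules and the allowlist above: keyword prefilter, regex, allowlist paths and regexes, and a per-rule `entropy` threshold (a real rule key, added here to the first rule for the demo). It assumes gitleaks' behaviour as I understand it: keywords are matched case-insensitively before the regex runs, the secret is the first capture group, and a secret whose entropy is at or below the threshold is dropped; checking allowlist regexes against the whole line is a simplification.

```python
import math
import re

# (id, regex, keywords, min_entropy): the rules from the .gitleaks.toml above, with an
# entropy threshold added to the first one for this demo (0 disables the check).
RULES = [
    ("custom-api-key", r"""(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]([a-z0-9]{32,})""", ["apikey", "api_key"], 3.5),
    ("slack-webhook", r"https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,}/B[a-zA-Z0-9_]{8,}/[a-zA-Z0-9_]{24,}", [], 0.0),
    ("aws-access-key", r"AKIA[0-9A-Z]{16}", ["AKIA"], 0.0),
]
ALLOW_REGEXES = [r"EXAMPLE_API_KEY", r"placeholder-secret", r"test-token-123"]
ALLOW_PATHS = [r"\.gitleaks\.toml", r"README\.md", r"docs/"]  # allowlist paths are regexes too

def shannon_entropy(s: str) -> float:
    """Bits per character; gitleaks reports this as the finding's Entropy."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def scan(path: str, text: str) -> list:
    """Return (path, rule_id, line_no) for matches that survive allowlists and entropy."""
    if any(re.search(p, path) for p in ALLOW_PATHS):
        return []  # allowlisted path: the file is not scanned at all
    findings = []
    for rule_id, regex, keywords, min_entropy in RULES:
        if keywords and not any(k.lower() in text.lower() for k in keywords):
            continue  # keyword prefilter: no keyword in the file, so the regex is never run
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in re.finditer(regex, line):
                secret = m.group(1) if m.groups() else m.group(0)  # assumption: group 1 is the secret
                if any(re.search(a, line) for a in ALLOW_REGEXES):
                    continue  # simplification: allowlist regexes checked against the whole line
                if min_entropy and shannon_entropy(secret) <= min_entropy:
                    continue  # low-entropy placeholder is dropped (assumed: at or below threshold)
                findings.append((path, rule_id, line_no))
    return findings

# Constructed sample files; none of the values are real credentials.
SAMPLE_FILES = {
    "src/config.py": "\n".join([
        'api_key = "' + "a1b2c3d4e5f6" * 3 + '"',                  # kept: entropy 3.58 > 3.5
        'api_key = "' + "a" * 36 + '"',                             # dropped: entropy 0
        'api_key = "0123456789abcdef0123456789abcdef"  # placeholder-secret',  # dropped: allowlist regex
        'webhook = "https://hooks.slack.com/services/T000000000/B000000000/' + "x" * 24 + '"',  # kept
    ]),
    "docs/setup.md": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000",        # dropped: docs/ path allowlist
    "src/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000",  # kept
}

def scan_all(files=SAMPLE_FILES) -> list:
    return [f for path, text in files.items() for f in scan(path, text)]
```

Running `scan_all()` yields three findings; the all-zeros key, the allowlisted line and the file under `docs/` are filtered exactly as gitleaks would filter them, which is the behaviour to confirm before relying on a custom config in CI.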
Ignoring False Positives
Inline Comments
```python
# The marker must be on the same line as the secret; a comment on the line above does not suppress the finding
api_key = "this-is-a-test-key-not-real"  # gitleaks:allow
password = "example-password"  # gitleaks:allow
```
.gitleaksignore File
Create .gitleaksignore:
```text
# One fingerprint per line, copied from the finding's Fingerprint field:
# commit:file:rule-id:start-line for git scans, file:rule-id:start-line for directory scans
a1b2c3d4e5f6g7h8:config/aws.py:aws-access-token:42
# Whole files or commits are not ignored here; use the allowlist paths (and commits) in .gitleaks.toml
```
Baseline Mode
```bash
# Create baseline of existing findings
gitleaks detect --report-path baseline.json --report-format json
# Scan only new findings
gitleaks detect --baseline-path baseline.json
```
CI/CD Integration (GitHub Actions)
```yaml
name: Gitleaks
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for complete scan
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Optional: for Gitleaks Pro
      - name: Generate SARIF
        if: always()
        run: |
          gitleaks detect \
            --report-format sarif \
            --report-path gitleaks.sarif \
            --no-banner \
            --no-color \
            --exit-code 0
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gitleaks.sarif
          category: gitleaks
      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-results
          path: gitleaks.sarif
```
Pre-commit Hook
Install Pre-commit
```bash
# Install pre-commit
pip install pre-commit
# Create .pre-commit-config.yaml
cat > .pre-commit-config.yaml << 'EOF'
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.2
    hooks:
      - id: gitleaks
EOF
# Install hook
pre-commit install
# Test
pre-commit run --all-files
```
Manual Git Hook
```bash
# Create .git/hooks/pre-commit
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
gitleaks protect --staged --verbose --redact
EOF
chmod +x .git/hooks/pre-commit
```
Common Use Cases
1. Initial Repository Audit
```bash
# Full history scan with SARIF output
gitleaks detect \
  --source /path/to/repo \
  --report-format sarif \
  --report-path full-audit.sarif \
  --verbose
# Review results
sarif summary full-audit.sarif
```
2. Pre-deployment Scan
```bash
# Scan only uncommitted changes
gitleaks protect --staged --verbose
# If secrets found, prevent commit
gitleaks protect --staged --exit-code 1
```
3. CI/CD Pipeline Integration
```bash
# Baldwin.sh pattern
gitleaks dir \
  --source /workspace/src \
  --report-format sarif \
  --report-path /workspace/output/sarif/gitleaks.sarif \
  --no-banner \
  --no-color \
  --ignore-gitleaks-allow \
  --exit-code 0
```
4. Remediation Workflow
```bash
# 1. Initial scan
gitleaks detect --report-format json --report-path findings.json
# 2. Review and create baseline
gitleaks detect --report-path baseline.json --report-format json
# 3. Track only new leaks
gitleaks detect --baseline-path baseline.json --verbose
# 4. After cleanup, verify
gitleaks detect --exit-code 1 # Fail if any secrets found
```
Understanding Output
SARIF Structure
Gitleaks SARIF v2.1.0 includes:
- Rules: Each secret type (API key, password, token, etc.)
- Results: Specific locations where secrets were found
- Properties:
  - commit: Git commit hash (if applicable)
  - file: File path
  - startLine: Line number where the match starts
  - endLine: Line number where the match ends
  - match: Redacted or full secret (depending on --redact)
  - secret: The detected secret (if not redacted)
JSON Output Example
```json
{
  "Description": "AWS Access Key",
  "StartLine": 42,
  "EndLine": 42,
  "StartColumn": 15,
  "EndColumn": 50,
  "Match": "AKIA****************",
  "Secret": "AKIA1234567890ABCDEF",
  "File": "config/aws.py",
  "SymlinkFile": "",
  "Commit": "a1b2c3d4e5f6g7h8",
  "Entropy": 4.5,
  "Author": "developer@example.com",
  "Email": "developer@example.com",
  "Date": "2024-01-15T10:30:00Z",
  "Message": "Add AWS configuration",
  "Tags": [],
  "RuleID": "aws-access-token",
  "Fingerprint": "a1b2c3d4e5f6g7h8:config/aws.py:aws-access-token:42"
}
```
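These fields are what a triage script works from. Here is an added Python example, not from this page or from gitleaks, that recomputes the `Fingerprint` from `Commit`, `File`, `RuleID` and `StartLine` (`file:rule:line` when there is no commit, as with `gitleaks dir`), reproduces what `--baseline-path` does by dropping findings already present in a baseline report, and emits `.gitleaksignore` entries only for findings a reviewer has justified. The sample reports are constructed to mirror the example object above (a JSON report is an array of such objects); the fingerprint layout is assumed from gitleaks' documented format.

```python
import json

# Constructed sample reports in the shape gitleaks writes with --report-format json
# (an array of finding objects with the fields shown above); no real credentials.
REPORT_JSON = """[
 {"Description": "AWS Access Key", "StartLine": 42, "EndLine": 42, "Match": "AKIA****************",
  "Secret": "AKIA1234567890ABCDEF", "File": "config/aws.py", "Commit": "a1b2c3d4e5f6g7h8",
  "Entropy": 4.5, "RuleID": "aws-access-token", "Fingerprint": "a1b2c3d4e5f6g7h8:config/aws.py:aws-access-token:42"},
 {"Description": "Custom API Key Pattern", "StartLine": 7, "EndLine": 7, "Match": "api_key = [redacted]",
  "Secret": "[redacted]", "File": "tests/fixtures/secrets.txt", "Commit": "0f0f0f0f0f0f0f0f",
  "Entropy": 0.0, "RuleID": "custom-api-key", "Fingerprint": "0f0f0f0f0f0f0f0f:tests/fixtures/secrets.txt:custom-api-key:7"},
 {"Description": "Slack Webhook URL", "StartLine": 3, "EndLine": 3, "Match": "[redacted]", "Secret": "[redacted]",
  "File": "src/notify.py", "Commit": "", "Entropy": 3.9, "RuleID": "slack-webhook",
  "Fingerprint": "src/notify.py:slack-webhook:3"}
]"""
# Baseline from an earlier run; it already contains the first finding.
BASELINE_JSON = """[{"StartLine": 42, "File": "config/aws.py", "Commit": "a1b2c3d4e5f6g7h8",
  "RuleID": "aws-access-token", "Fingerprint": "a1b2c3d4e5f6g7h8:config/aws.py:aws-access-token:42"}]"""

def load_findings(text: str) -> list:
    return json.loads(text)

def fingerprint(f: dict) -> str:
    """commit:file:rule:line for git scans; file:rule:line when Commit is empty (gitleaks dir)."""
    parts = [f["File"], f["RuleID"], str(f["StartLine"])]
    if f.get("Commit"):
        parts.insert(0, f["Commit"])
    return ":".join(parts)

def new_findings(report: list, baseline: list) -> list:
    """What --baseline-path does: keep only findings whose fingerprint the baseline lacks."""
    known = {fingerprint(b) for b in baseline}
    return [f for f in report if fingerprint(f) not in known]

def gitleaksignore_entries(findings: list, reasons: dict) -> str:
    """.gitleaksignore lines for findings a reviewer justified (fingerprint -> reason);
    unreviewed findings are left out so they keep failing the scan until fixed."""
    lines = []
    for f in findings:
        fp = fingerprint(f)
        if fp in reasons:
            lines.append(f"# {reasons[fp]} (rule {f['RuleID']}, entropy {f['Entropy']})")
            lines.append(fp)
    return "\n".join(lines) + "\n"

def triage_demo():
    """Return (findings new since the baseline, .gitleaksignore text for the reviewed ones)."""
    fresh = new_findings(load_findings(REPORT_JSON), load_findings(BASELINE_JSON))
    reasons = {"0f0f0f0f0f0f0f0f:tests/fixtures/secrets.txt:custom-api-key:7": "test fixture, not live"}
    return fresh, gitleaksignore_entries(fresh, reasons)
```

The Slack finding has no justification, so it stays out of `.gitleaksignore` and continues to fail the scan; the fixture finding is suppressed with its reason recorded next to the fingerprint.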
Advanced Features
Entropy Detection
```bash
# Entropy is computed for every match and reported in the Entropy field; a per-rule
# threshold (entropy = 3.5 under [[rules]]) drops low-entropy placeholders. Debug logging shows the details.
gitleaks detect --verbose --log-level debug
```
Custom Rules Only
```bash
# Custom rules only: a config that does not set useDefault = true under [extend] loads no default rules
gitleaks detect --config custom-rules.toml
```
Scanning Specific Files
```bash
# Scan only Python files
gitleaks detect --source /code --log-opts="--all -- '*.py'"
# Exclude vendor directories
gitleaks detect --source /code --log-opts="--all -- . ':!vendor'"
```
Performance Considerations
```bash
# Faster scans: limit git log depth
gitleaks detect --log-opts="--max-count=1000"
# Scan only recent commits
gitleaks detect --log-opts="--since='1 month ago'"
# Parallel processing (default)
gitleaks detect --source /large/repo
```
Limitations
- Binary files: Limited detection in compiled/binary files
- Obfuscation: Misses heavily obfuscated or encoded secrets
- Not validity-aware: Can't determine whether a detected secret is still valid or active
- False positives: Regex-based, may flag test data or examples
- Git required: Directory scans work, but git history scanning needs .git
Rationalizations to Reject
| Shortcut | Why It's Wrong |
|---|---|
| "Gitleaks found nothing = no secrets" | Obfuscated, encrypted, or dynamically constructed secrets are missed |
| "Only scan code, skip git history" | Secrets in history can still be exploited; attackers check git logs |
| "Disable in CI for speed" | Secret leaks are critical; speed should never compromise security |
| "Mark all as false positive" | Each finding needs review; some may be valid credentials |
| "Don't use --redact in reports" | Unredacted secrets in reports can leak to logs, artifacts, or dashboards |
References
- Repository: https://github.com/gitleaks/gitleaks
- Documentation: https://gitleaks.io/
- Default Rules: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
- SARIF Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
- Pre-commit Hook: https://github.com/gitleaks/gitleaks#pre-commit